CVE-2024-45285
📋 TL;DR
CVE-2024-45285 affects an RFC-enabled function module in SAP NetWeaver Application Server ABAP. A low-privileged but authenticated user can call the module with crafted parameter values to cause a denial of service for other users and to modify or delete their favorite nodes, which locks the targeted users out of SAP GUI functionality. A system is affected only if it contains the vulnerable function module and the module is reachable via RFC.
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
- SAP GUI
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Targeted users completely lose access to SAP GUI functionality, requiring administrative intervention to restore access, while attackers can manipulate user interface preferences.
Likely Case
Low-privileged users disrupt colleagues' work by locking them out of SAP GUI, causing productivity loss until access is restored.
If Mitigated
If RFC authorizations (authorization object S_RFC) prevent ordinary users from calling the module and RFC traffic is confined to trusted networks, the impact is limited to internal disruption that can be recovered quickly.
🎯 Exploit Status
Exploitation requires an authenticated SAP user who is allowed to call the function module via RFC and who knows which parameters to supply; no privileges beyond an ordinary user account are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3488039
Vendor Advisory: https://me.sap.com/notes/3488039
Restart Required: Yes
Instructions:
1. Download SAP Note 3488039 from the SAP Support Portal.
2. Apply the correction instructions provided in the note (via transaction SNOTE, or import the support package the note names).
3. Restart the affected SAP systems as required.
🔧 Temporary Workarounds
Restrict RFC Access
Limit access to the vulnerable RFC function module to users who need it
Review authorization object S_RFC (fields RFC_TYPE, RFC_NAME and ACTVT 16 = Execute) in the affected roles with PFCG and SUIM; S_RFC is what decides who may call an RFC-enabled function module, and a wildcard RFC_NAME value lets any user holding the role call any module
Use transaction SM59 on systems that call into the affected system to review which destinations and service users reach it, and SE37 to confirm whether the module is flagged as remote-enabled; neither transaction grants or revokes call rights, S_RFC does. Unified Connectivity (UCON, transaction UCONCOCKPIT) can additionally block a remote-enabled module from external RFC callers without changing roles
Implement Network Controls
Segment SAP systems and restrict RFC traffic to trusted networks
Configure firewall rules so that the RFC gateway port (33NN, or 48NN with SNC, where NN is the instance number) is reachable only from trusted hosts; since the attacker is an authenticated user, typically on a workstation that already reaches the system, network controls complement the S_RFC restriction rather than replace it
🧯 If You Can't Patch
- Implement strict role-based access control to limit which users can access RFC function modules
- Monitor RFC traffic for unusual patterns and implement alerting for suspicious activity
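Role-based control over RFC calls in an ABAP system is enforced by authorization object S_RFC, and the audit can be done offline against role data exported from the system. The following is an added example, not code from this advisory or from SAP: it reads semicolon-separated exports of tables AGR_1251 (authorization values per role) and AGR_USERS (user-to-role assignments) and lists the users whose roles allow executing a given function group, including SAP's wildcard and range semantics. The roles, users and rows are constructed, and the function group is passed in by the caller because this page does not name the vulnerable module's group (SAP Note 3488039 does).

```python
"""Audit S_RFC grants: which users can execute a given RFC function group?

Added example, not SAP tooling and not part of this advisory. Input is a
semicolon-separated export (e.g. SE16 download) of tables AGR_1251 (role
authorization values) and AGR_USERS (role-to-user assignment). All rows,
role names and user names below are constructed; the function group of the
vulnerable module comes from SAP Note 3488039 and is passed in by the caller.
"""
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed AGR_1251 rows. Only OBJECT = S_RFC matters here; the AUTH
# (authorization instance) column is omitted, so values of different
# instances in one role are pooled, which over-approximates, the safe
# direction for an audit.
AGR_1251 = """\
AGR_NAME;OBJECT;FIELD;LOW;HIGH
Z_BASIS_ADMIN;S_RFC;RFC_TYPE;*;
Z_BASIS_ADMIN;S_RFC;RFC_NAME;*;
Z_BASIS_ADMIN;S_RFC;ACTVT;16;
Z_END_USER;S_RFC;RFC_TYPE;FUGR;
Z_END_USER;S_RFC;RFC_NAME;SYST;
Z_END_USER;S_RFC;ACTVT;16;
Z_REPORTING;S_RFC;RFC_TYPE;FUGR;
Z_REPORTING;S_RFC;RFC_NAME;S*;
Z_REPORTING;S_RFC;ACTVT;16;
Z_INTERFACE;S_RFC;RFC_TYPE;FUGR;
Z_INTERFACE;S_RFC;RFC_NAME;ZA;ZM
Z_INTERFACE;S_RFC;ACTVT;16;
Z_DISPLAY_ONLY;S_TCODE;TCD;SE16;
"""

# Constructed AGR_USERS rows (role -> user).
AGR_USERS = """\
AGR_NAME;UNAME
Z_BASIS_ADMIN;BASISADM
Z_END_USER;JDOE
Z_REPORTING;JDOE
Z_REPORTING;ASMITH
Z_INTERFACE;IFUSER
Z_DISPLAY_ONLY;RJONES
"""


def sap_match(pattern, value):
    """SAP authorization value semantics: '*' matches any string, '+' one
    character, and 'LOW..HIGH' (built from the LOW/HIGH columns) is an
    inclusive alphabetical range."""
    if ".." in pattern:
        low, high = pattern.split("..", 1)
        return low <= value <= high
    # fnmatch treats '[' and '?' specially, SAP does not: escape them, then
    # map SAP's single-character wildcard '+' onto fnmatch's '?'.
    translated = pattern.replace("[", "[[]").replace("?", "[?]").replace("+", "?")
    return fnmatch.fnmatchcase(value, translated)


def parse_s_rfc(agr_1251_text):
    """Return {role: {field: {value, ...}}} for the S_RFC object only."""
    grants = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(agr_1251_text), delimiter=";"):
        if row["OBJECT"] != "S_RFC":
            continue
        value = f'{row["LOW"]}..{row["HIGH"]}' if row["HIGH"] else row["LOW"]
        grants[row["AGR_NAME"]][row["FIELD"]].add(value)
    return grants


def role_allows(fields, fugr):
    """True if the role's S_RFC values permit Execute (ACTVT 16) on the
    function group. RFC_TYPE = FUNC grants (single modules) are not
    resolved here; check those separately."""
    return (any(sap_match(p, "16") for p in fields.get("ACTVT", ()))
            and any(sap_match(p, "FUGR") for p in fields.get("RFC_TYPE", ()))
            and any(sap_match(p, fugr) for p in fields.get("RFC_NAME", ())))


def users_with_access(agr_1251_text, agr_users_text, fugr):
    """Sorted (user, role) pairs whose role allows calling `fugr` via RFC."""
    grants = parse_s_rfc(agr_1251_text)
    allowing = {role for role, fields in grants.items() if role_allows(fields, fugr)}
    hits = [(row["UNAME"], row["AGR_NAME"])
            for row in csv.DictReader(io.StringIO(agr_users_text), delimiter=";")
            if row["AGR_NAME"] in allowing]
    return sorted(hits)


if __name__ == "__main__":
    # Replace "SUSR" with the function group named in SAP Note 3488039.
    for user, role in users_with_access(AGR_1251, AGR_USERS, "SUSR"):
        print(f"{user:<12} via role {role}")
```

Any user listed for the vulnerable module's group who is not a basis or interface account is a candidate for having the role trimmed; roles that grant `RFC_NAME = *` show up for every group and are the first to fix.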
🔍 How to Verify
Check if Vulnerable:
In transaction SNOTE, confirm that SAP Note 3488039 has the status "Completely implemented", or compare the SAP_BASIS release and support package level (System > Status) with the corrected versions listed in the note
Check Version:
Use System > Status or transaction SPAM to read the SAP_BASIS release and support package level; transaction SM51 lists the application servers and their kernel release but does not show applied notes
Verify Fix Applied:
Confirm the implementation status of SAP Note 3488039 in SNOTE, then, from a test user that holds only ordinary end-user roles, verify that calling the vulnerable function module via RFC is rejected or no longer affects other users' favorites
📡 Detection & Monitoring
Log Indicators:
- Security Audit Log events for RFC function calls (message IDs AUK successful, AUL failed; the "RFC function call" class must be enabled in SM19 / RSAU_CONFIG) from low-privileged users to the affected function module
- Failed SAP GUI logons (Security Audit Log AU2) or lockout and altered-favorites reports for specific users shortly after such RFC calls
Network Indicators:
- RFC connections to the gateway port (33NN) from workstations that normally only use SAP GUI (DIAG, port 32NN) or that are not known RFC clients
- Repeated calls to the affected function module from one source, visible in the gateway log (SMGW) and in RFC statistics records (STAD) even when the payload itself is not inspected
SIEM Query:
source="sap_rfc_logs" AND (function_module="vulnerable_module_name" AND user_privilege="low")
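The SIEM query above is a template. The following is an added example, not code from this advisory or from SAP, that applies the same logic to a Security Audit Log export: it selects RFC function call events (AUK successful, AUL failed) to a watched function group from users outside an admin allowlist, and additionally raises a burst alert when one user makes several such calls in a short window, which is the pattern of a user-by-user lockout. The log lines are constructed in a simplified pipe-separated layout, Z_WATCHED_FM and ZWATCHED are placeholders for the module and function group named in SAP Note 3488039, and the user IDs and allowlist are invented.

```python
"""Flag RFC calls to a watched function group in a Security Audit Log export.

Added example, not SAP code and not part of this advisory. The log lines are
constructed in a simplified pipe-separated layout (date|time|user|terminal|
message ID|message text); a real SM20 / RSAU_READ_LOG export has more columns
but the same message IDs and texts. Z_WATCHED_FM / ZWATCHED are placeholders
for the module and function group named in SAP Note 3488039, and the
allowlist and user IDs are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Security Audit Log message IDs for RFC function calls. They are only
# written if the "RFC function call" class is active (SM19 / RSAU_CONFIG).
RFC_EVENTS = {"AUK": "successful", "AUL": "failed"}
WATCHED_FUGR = "ZWATCHED"               # placeholder, see SAP Note 3488039
ALLOWED_USERS = {"BASISADM", "DDIC"}    # constructed allowlist of admin IDs
BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=2)

# Constructed export: five calls from one ordinary user in seven seconds, one
# admin call, one failed call and two unrelated events.
SAMPLE_LOG = """\
20240912|101502|JDOE|WS-0412|AUK|Successful RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|101503|JDOE|WS-0412|AUK|Successful RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|101505|JDOE|WS-0412|AUK|Successful RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|101507|JDOE|WS-0412|AUK|Successful RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|101509|JDOE|WS-0412|AUK|Successful RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|101600|BASISADM|WS-0001|AUK|Successful RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|102210|ASMITH|WS-0207|AUL|Failed RFC call Z_WATCHED_FM (function group = ZWATCHED)
20240912|102300|RJONES|WS-0310|AUK|Successful RFC call RFC_PING (function group = SYST)
20240912|102400|RJONES|WS-0310|AU1|Logon successful (type = A, method = A)
"""

MSG_RE = re.compile(r"RFC call (?P<fm>\S+) \(function group = (?P<fugr>\S+)\)")


def parse_line(line):
    """Return a dict for an RFC call event, or None for anything else."""
    date, time, user, terminal, msg_id, text = line.split("|", 5)
    if msg_id not in RFC_EVENTS:
        return None
    m = MSG_RE.search(text)
    if not m:
        return None
    return {"ts": datetime.strptime(date + time, "%Y%m%d%H%M%S"),
            "user": user, "terminal": terminal, "outcome": RFC_EVENTS[msg_id],
            "fm": m.group("fm"), "fugr": m.group("fugr")}


def find_alerts(log_text, watched_fugr=WATCHED_FUGR, allowed_users=ALLOWED_USERS):
    """One 'watched_call' alert per call (successful or failed) to the watched
    function group by a non-allowlisted user, plus one 'burst' alert when a
    user makes BURST_COUNT such calls within BURST_WINDOW."""
    alerts = []
    recent = defaultdict(deque)   # per user: call timestamps inside the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["fugr"] != watched_fugr or ev["user"] in allowed_users:
            continue
        alerts.append({"type": "watched_call", **ev})
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > BURST_WINDOW:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= BURST_COUNT:
            alerts.append({"type": "burst", "user": ev["user"], "count": len(q),
                           "start": q[0], "end": ev["ts"]})
            q.clear()             # report each burst once
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(a["type"], a["user"], a.get("fm", ""), a.get("count", ""))
```

Failed calls (AUL) are kept on purpose: a user probing a module they are not authorized for is worth a look even when S_RFC blocked the call, and the burst alert is what distinguishes a lockout campaign against several colleagues from a single accidental call.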